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Abstract 

The framework of algorithmic knowledge assumes that agents use algorithms to compute 
the facts they explicitly know. In many cases of interest, a deductive system, rather than a 
particular algorithm, captures the formal reasoning used by the agents to compute what they 
explicitly know. We introduce a logic for reasoning about both implicit and explicit knowl- 
edge with the latter defined with respect to a deductive system formalizing a logical theory for 
& ■ agents. The highly structured nature of deductive systems leads to very natural axiomatizations 

of the resulting logic when interpreted over any fixed deductive system. The decision prob- 
lem for the logic, in the presence of a single agent, is NP-complete in general, no harder than 
propositional logic. It remains NP-complete when we fix a deductive system that is decidable 
in nondeterministic polynomial time. These results extend in a straightforward way to multiple 
fT) '. agents. 
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It is well known that the standard model of knowledge based on possible worlds is subject to the 
q I problem of logical omniscience, that is, the agents know all the logical consequences of their knowl- 

edge [Fagin, Halpern, Moses, and Vardi 1995, Chapter 9]. Thus, possible-world definitions of 
knowledge make it difficult to reason about the knowledge that agents need to explicitly compute in 
order to make decisions and perform actions, or to capture situations where agents want to reason 
about the knowledge that other agents need to explicitly compute in order to perform actions. 

This observation leads to a distinction between two forms of knowledge, implicit knowledge and 
explicit knowledge (or resource-bounded knowledge), a distinction long recognized [Rosenschein 
1985]. The classical AI approach known as the interpreted symbolic structures approach, where 
knowledge is based on information stored in data structures of the agent, can be seen as an instance 
of explicit knowledge. In contrast, the situated automata approach, which interprets knowledge 
based on information carried by the state of the machine, can be seen as an instance of implicit 
knowledge. Levesque [1984] makes a similar distinction between implicit belief and explicit belief. 

While the possible-worlds approach is taken as the standard model for implicit knowledge, there 
is no standard model for explicit knowledge. A general approach appropriate for many situations 



* A preliminary version of this paper appeared in the Proceedings of the Eighth International Symposium on Artificial 
Intelligence and Mathematics, AI&M 22-2004, 2004. This work was mostly done while the author was at Cornell 
University. 
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is that of algorithmic knowledge [Halpern, Moses, and Vardi 1994]. In the algorithmic knowledge 
framework, the explicit knowledge of an agent is given by a knowledge algorithm that the agent uses 
to establish whether he knows a particular fact. Algorithmic knowledge is sufficiently expressive to 
capture a number of approaches to resource-bounded reasoning that have appeared in the literature 
[Levesque 1984; Konolige 1986; Elgot-Drapkin and Perlis 1990]. 1 

The generality of the algorithmic knowledge approach makes it ideal as a modeling framework. 
One consequence of that generality, however, is that there are no nontrivial logical properties of 
algorithmic knowledge proper, unless we focus on specific classes of knowledge algorithms. This 
consequence is important if the framework is to be used as a specification language for properties of 
multiagent systems, amenable to automated verification. In such a setting, we would like a class of 
knowledge algorithms that can capture properties of interest for the verification task at hand, while 
retaining enough structure to yield a tractable or analyzable framework. This structure will typically 
implies a number of properties of the corresponding algorithmic knowledge operator, which can be 
used to study properties of multiagent systems purely deductively. This general observation leads 
naturally to a program of studying interesting classes of knowledge algorithms. 

In this paper, we study a form of algorithmic knowledge, deductive algorithmic knowledge, 
where the explicit knowledge of agents comes from a logical theory expressed by a deductive sys- 
tem made up of deduction rules, in which the agents perform their reasoning about the facts they 
know. Many useful forms of explicit knowledge can be formalized using deductive systems. For in- 
stance, Horn theories [Selman and Kautz 1996], which have been used to approximate more general 
knowledge bases, fit into this framework. Explicit knowledge via a deductive system can be viewed 
as a form of algorithmic knowledge, where the knowledge algorithm used by an agent attempts to 
infer whether a fact is derivable from the deduction rules provided by the agent's deductive system. 
Among other advantages, viewing deductive algorithmic knowledge as an instance of algorithmic 
knowledge lets us model "feasible" explicit knowledge, by considering deductive systems whose 
corresponding knowledge algorithm is efficient (e.g., runs in polynomial time). The approach to 
modeling explicit knowledge through deductive systems is essentially that of Konolige [1986]. The 
basic idea, which we review in Section 2, is that a deductive system is a set of rules that describe 
how to infer new facts from old facts. We take the initial facts of an agent to be his observations, 
that is, what the agent can determine simply by examining his local state. 

We describe in Section 3 a logic for reasoning about both implicit knowledge and deductive 
algorithmic knowledge, with formulas Kip to express implicit knowledge of ip, and Xip to ex- 
press deductive algorithmic knowledge of tp. For simplicity, the logic we present is propositional, 
although there is no difficulty in extending it to a first-order setting. (Of course, the standard ques- 
tions about interactions between quantification and modal operators arise in such a setting.) Why 
reason about two forms of knowledge? It turns out that in many situations, one wants to reason about 
both forms of knowledge. Intuitively, implicit knowledge is useful for specifications and describes 
"ideal" knowledge, while deductive algorithmic knowledge is useful to capture the knowledge that 
agents can actually compute and use. Consider the following example. In previous work, we showed 
how the framework of algorithmic knowledge could be used to reason about agents communicating 
through cryptographic protocols [Halpern and Pucella 2002]. Algorithmic knowledge is useful to 

'While we focus on knowledge in this paper, much of our development applies equally well to belief. In fact, since we 
do not assume that knowledge algorithms necessarily return the correct answer, one could argue that the kind of knowl- 
edge provided by knowledge algorithms is really belief. For consistency with the literature on algorithmic knowledge, 
however, we shall continue to use the terminology "algorithmic knowledge". 
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model an adversary that has certain capabilities for decoding the messages he intercepts. There are 
of course restrictions on the capabilities of a reasonable adversary. For instance, the adversary may 
not explicitly know that he has a given message if that message is encrypted using a key that the 
adversary does not know. To capture these restrictions, Dolev and Yao [1983] gave a now-standard 
description of capabilities of adversaries. Roughly speaking, a Dolev-Yao adversary can decom- 
pose messages, or decipher them if he knows the right keys, but cannot otherwise "crack" encrypted 
messages. The adversary can also construct new messages by concatenating known messages, or 
encrypting them with a known encryption key. It is natural to formalize a Dolev-Yao adversary us- 
ing a deductive system that describes what messages the adversary possesses based on the messages 
he has intercepted, and what messages the adversary can construct. This lets us describe properties 
such as "the adversary can compute (i.e., explicitly knows) the secret exchanged during the protocol 
run". To capture the fact that some other agent in the system knows that a secret exchanged during 
the protocol run in fact remains a secret from the adversary, we can use implicit knowledge, as in 
"agent A knows (i.e., implicitly knows) that the adversary cannot compute (i.e., explicitly knows) 
the secret exchanged during the protocol run". In this sense, specifications can refer to both kinds 
of knowledge. (The specification above requires an extension of the logic to handle multiple agents; 
see Section 6.) 

A key operator in the logic is the operator Ob that identifies the observations made at a state. 
In a precise sense, this operator is the connection between implicit knowledge and explicit knowl- 
edge: deductive algorithmic knowledge uses observations as the initial facts from which further 
facts explicitly known are derived, while implicit knowledge uses observations to distinguish states, 
in that two states are indistinguishable exactly when the agent has the same observations in both 
states. Thus, we can study the interaction between implicit and explicit knowledge, and go be- 
yond previous work that only attempts to model explicit knowledge [Konolige 1986; Giunchiglia, 
Serafini, Giunchiglia, and Frixione 1993]. Our work shows one way to combine a standard possible- 
worlds account of implicit knowledge with a deductive system representing the explicit knowledge 
of agents, and to reason about both simultaneously. 

A principal goal of this paper is to study the technical properties of the resulting logic, such as 
axiomatizations and complexity of decision problems, and see how they relate to properties of the 
deductive systems. In Section 4, we study axiomatizations for reasoning about specific deductive 
systems. Not surprisingly, if we do not make any assumption on the deductive system, there are very 
few properties captured by the axiomatization, which is essentially a slight extension of well-known 
axiomatizations for implicit knowledge. However, if we restrict our attention to models where the 
agent uses a specific deductive system, then the properties of X depend on that deductive system. 
Intuitively, we should be able to read off the properties of X from the deduction rules. We formalize 
this intuition by showing that we can derive sound and complete axiomatizations for our logic with 
respect to models equipped with a specific deductive system, where the axiomatization is derived 
mechanically from the rules of the deductive system. 

In Section 5, we address the complexity of the decision problem for the logic in the presence of 
a single agent, that is, the complexity of deciding if a formula of the logic is satisfiable with respect 
to a class of models. Without any assumption on the deductive systems, deciding satisfiability is 
NP-complete; this is not surprising, since the logic in that context is essentially just a logic of 
implicit knowledge, known to be NP-complete [Ladner 1977] when there is a single agent. If we 
fix a specific deductive system, then deciding satisfiability with respect to the class of models using 
that deductive system is NP-hard, and it is possible to show NP-completeness when the deductive 
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system is itself decidable in nondeterministic polynomial time and the models considered have a 
small number of observations at each state. 

In Section 6, we consider a natural extension of our framework to reason about multiple agents. 
This is needed to study the Dolev-Yao example given above in its full generality, or any interesting 
example from the multiagent systems literature. The extension is straightforward, and many of the 
results generalize in the obvious way, justifying our decision to focus on the single agent model for 
the bulk of the paper. For instance, the complexity of the decision problem when there are multiple 
agents becomes PSPACE-complete, again following from logics of implicit knowledge themselves 
having PSPACE-complete decision problems [Halpern and Moses 1992] in the presence of multiple 
agents. The proofs of our technical results are deferred to the appendices. 

2 Deductive Systems 

We start by defining the framework in which we capture the logical theories of the agents, that is, 
their deductive or inferential powers. We distinguish the logical theories of the agents from the logic 
that we introduce in the next section to reason about a system and what agents in the system know. 
We can therefore model agents with different inferential powers, without affecting the logic itself. 

Following common practice, we take deductive systems as acting over the terms of some term 
algebra. More precisely, assume a fixed finite signature S = (/i, . . . , f n ), where each fi is an 
operation symbol, with arity r^. Operation symbols of arity are called constants. Assume a 
countable set Vars of variables. Define the term algebra Ts as the least set such that Vars C Tz, 
and for all / G S of arity n, and for all t±, . . . , t n € Ts, then /(ti, . . . , t n ) <G T%. Intuitively, Ts 
contains all the terms that can be built from the variables, constants, and operations in S. We say 
a term is a ground term if it contains no variables. Let T| be the set of ground terms in T^. A 
ground substitution p is a mapping from variables in Vars to ground terms. The application of a 
ground substitution p to a term t, written p(t), essentially consists of replacing every variable in t 
with the ground term corresponding to t in p. Clearly, the application of a ground substitution to a 
term yields a ground term. 

A Yj-deductive system D is a subset of p fin (Tz) x T^. (We write p(X) for the set of subsets of 
X, and p fin (X) for the set of finite subsets of X.) We often omit the signature £ when it is clear 
from context. A deduction rule ({ti, . . . , t n }, t) of D is typically written t\, . . . ,t n >t, and means 
that t can be immediately deduced from t±, . . . , t n . A deduction of t from a set T of terms is a 
sequence of ground terms ti,...,t n such that t n = t, and every ti is either 

(1) a term p(t'), for some ground substitution p and some term tf <G T; 

(2) a term p(t'), for some ground substitution p and some term t' for which there is a deduction 
rule t' ii: . . . ,t' ik > t' in D such that pfy. ) = U j for all j, and i\ , . . . , ij < i. 

We write T \~d t if there is a deduction from V to t via deduction rules in D. By definition, we have 
t \~d t for all terms t? 

We will mainly be concerned with deductive systems that are decidable, that is, for which the 
problem of deciding whether a deduction of t from T exists is decidable, for a term t and a finite set 

2 Our use of variables in deductive systems is purely for convenience. We could replace every deduction rule with 
the rules obtained by substituting ground terms for all the variables, and get a deductive system that can derive the same 
terms as the original one. 
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of terms F. Moreover, it should be clear from the definitions that deductive systems are monotonic. 
In other words, if F \~o t, then F' \~d t when F C F'. Finally, observe that we do not impose 
any restriction on the formation of terms. The whole theory we develop in this paper could take as 
a starting point the notion of sorted term algebras [Higgins 1963], with little change; this would 
allow restrictions on terms to be imposed in a natural way. 

Example 2.1. We give a deductive system that captures the capabilities of the Dolev-Yao adversary 
described in the introduction. Define the following S-deductive system DY, with signature £ = 
(recv, has, encr, cone, inv), where recv(m) represents the fact that the adversary has received the 
term m, has(m) represents the fact that the adversary possesses the term m (i.e., is able to extract 
message m from the messages he has received), encr(m, k) represents the encryption of term m 
with key k, conc(mi, 1112) represents the concatenation of terms mi and m 2 , and inv(A;) represents 
the inverse of the key k: 

recv(m) i> has(m) 
has(inv(/c)), has(encr(m, k)) > has(m) 
has(conc(mi, m 2 )) > has(mi) 
has(conc(mi, m 2 )) > has(m 2 ). 

Assume further that £ contains constants such as m, ki, k 2 . We can derive: 

recv(encr(m, ki)), recv(encr(inv(ki), k 2 )), recv(inv(k 2 )) h DY has(m). 

In other words, it is possible for a Dolev-Yao adversary to derive the message m if he has received 
m encrypted under a key ki, the inverse of which he has received encrypted under a key k 2 , whose 
inverse he has received. 

To account for constructing new messages, consider the signature £' that extends £ with a unary 
constructor constr, where constr(m) represents the fact that the adversary can construct the term 
m. We can account for this new constructor by adding the following deduction rules to DY: 

has(m) > constr(m) 
constr(/c), constr(m) > constr(encr(m, k)) 
constr(mi), constr(m 2 ) > constr(conc(mi, m 2 )). 

For instance, we have 

recv(encr(m, ki)), recv(inv(ki)), recv(k 2 ) h DY constr(encr(m, k 2 )). 

□ 

In what sense can we use deductive systems to model explicit knowledge? Intuitively, the ele- 
ments of the term algebra represent facts, and the deduction rules of the system model the inferenc- 
ing capabilities of the agent — which facts can he deduce from other facts. This gloss raises another 
question, namely what to take as basic facts known to the agent without deduction, from which to 
initially start deriving other facts? Konolige [1986] calls these basic beliefs, and there are a number 
of approaches that can be followed. One approach is to simply posit a set of basic facts initially 
known to the agent (perhaps different basic facts are initially known at different states). This does 
not completely solve the problem, as it still requires determining which facts are initially known at 



5 



every state. We pursue a different approach here, consistent with many well-known descriptions in 
the literature: we take the basic beliefs of an agent to be his observations. Intuitively, an observation 
is a fact that the agent can readily determine by examining his local state. We distinguish observa- 
tions from other facts by using a unary constructor ob in the signature of the deductive systems we 
consider in subsequent sections. 

3 Deductive Algorithmic Knowledge 

We now introduce a prepositional modal logic for reasoning about the implicit and explicit knowl- 
edge of an agent, where the explicit knowledge is formalized as a deductive system. In this section, 
we focus on a single agent. We extend to multiple agents in Section 6. 

We define the logic £ KD (X), over a signature S. We take primitive propositions to be ground 
terms T| over the signature S. We use p to range over T|, to emphasize that they are primitive 
propositions, and distinguish them from terms over the more general signatures described later. The 
language of the logic is obtained by starting with primitive propositions in T| and closing off under 
negation, conjunction, the K operator, the X operator, and the Ob operator (applied to primitive 
propositions only). Intuitively, Kip is read as "the agent implicitly knows tp", Xip is read as "the 
agent explicitly knows ip, according to his deductive system", and Ob(p) is read as "the agent 
observes p". We define the usual abbreviations, ip V tp for -<(-«p A ->ip), and ip tp for -></? V tp. 
We define true as an abbreviation for an arbitrary but fixed prepositional tautology, and false as an 
abbreviation for ^true. 

To interpret the deductive algorithmic knowledge of an agent, we provide the agent with a de- 
ductive system in which to perform his deductions. As we discussed in last section, we want the 
agent to reason about observations he makes about his state; furthermore, because we will want to 
interpret formulas in C KD as terms over which the deductive system can reason (see the semantics of 
Xp below), we consider deductive systems defined over the signature £ extended with a set S KD of 
constructors corresponding to the operators in our logic, that is, S KD = {ob, true, false, not, and, know, xknow}, 
where true, false have arity 0, ob, not, know, xknow have arity 1, and and has arity 2. 

The semantics of the logic follows the standard possible-worlds presentation for modal logics of 
knowledge [Hintikka 1962]. A deductive algorithmic knowledge structure is a tuple M = (S, it, D), 
where S is a set of states, it is an interpretation for the primitive propositions, and D is a £ U E KD - 
deductive system. Every state s in S is of the form (e, O), where e captures the general state of 
the system, and O is a finite set of observations. Each observation in O is a primitive proposition, 
representing the observations that the agent has made at that state. 3 The details of the states are es- 
sentially irrelevant, as they are only used as a way to interpret the truth of the primitive propositions. 
We do not model how agent makes observations, or temporal relationships between states. A state 
simply represents a snapshot of the system under consideration. The interpretation it associates 
with every state the set of primitive propositions that are true at that state, so that for every primitive 
proposition p G T|, we have -ir(s)(p) € {true, false}. 

3 For simplicity, we assume that the observations form a set. This implies that repetition of observations and their order 
is unimportant. We can easily model the case where the observations form a sequence, at the cost of complicating the 
presentation. We also assume, again for simplicity, that there are only finitely many observations at every state. Allowing 
infinitely many observations does not affect anything in this section; we conjecture that the results in subsequent sections 
also hold when infinitely many observations per state are allowed. 
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We make a distinction between a fact, represented by a primitive proposition p, and an obser- 
vation of that fact, represented by the formula Ob(p). For instance, the fact that Alice holds an 
apple might be represented by the primitive proposition holds(alice, apple), which can be true or 
not at a state, while the fact that the agent has observed that Alice is holding an apple is represented 
by the formula (96(holds(alice, apple)), which is true if and only if that observation is in the state 
of the agent. It is not necessarily the case that if Ob (p) holds at a state then p holds at that state. 
We therefore consider it possible that the agent makes unreliable observations. We can of course 
assume that observations are reliable by imposing a restriction on the interpretation n, by taking 
7r((e, 0))(p) = true whenever pgO. More generally, we can impose restrictions on the models 
considered, such as observations being restricted to a specific subset of the primitive propositions, 
and so on. 4 

Example 3.1. Models are representations of situations we want to analyze, for instance, by verify- 
ing that a situation satisfies a certain property. Suppose we wanted to specify the knowledge of a 
Dolev-Yao adversary, as mentioned in the introduction, in the context where there are principals ex- 
changing messages according to a protocol. The deductive system used by the adversary is a slight 
extension of the deductive system DY from Example 2.1, extended to deal with observations. The 
security literature generally assumes a subterm relation on the messages exchanged by the protocol; 
define C on T^ Y as the smallest relation satisfying 

t C t 

if t C t\ then t C conc(ti,t2) 
if t C t2 then t C conc(ii, £2) 
if t C t\ then t C encr(ii, £2)- 

(See Abadi and Rogaway [2000] for motivations.) Consider a structure M = (S, it, DY'), where 
we record at every state all messages intercepted by the adversary at that state. We restrict the 
observations at a state to be of the form recv(i), for ground terms t in which has does not occur. 
The deductive system DY' is just DY extended with a rule making observations available to the 
deductive system: 

ob(recv(t)) > recv(i). 

The interpretation it is defined so that 7r((e, 0))(has(i)) = true if and only if there exists a term 
t' € T® Y such that recv(i') € O and t C t'. In other words, has(t) holds at a state if t is a subterm 
of a message intercepted by the adversary. For instance, we can have s\ be a state with observations 

{recv(encr(m, ki)), recv(encr(inv(ki), k2))}, 

and S2 a state with observations 

{recv(encr(m, ki)), recv(encr(inv(ki), k2)), recv(inv(k2))}. 

These states represent states where the adversary has intercepted particular messages. We shall see 
how to specify properties of M, such as the fact the adversary does not explicitly know at s± that he 
possesses m, despite 7r(si)(has(m)) = true. □ 

4 We can also impose restrictions on deductive systems and signatures. In a preliminary version of this paper [Pucella 
2004], for instance, we distinguished the notion of a primitive signature, which does not provide constructors for the 
propositional and modal connectives. A deductive system based on a primitive signature only permits reasoning about 
explicit knowledge of primitive propositions. 
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Let M.{Tf) be the set of all deductive algorithmic knowledge structures using £ U £ KD -deductive 
systems. For a fixed S U £ KD -deductive system D, let Md(E) be the set of all deductive algorith- 
mic knowledge structures using deductive system D. 

We define what it means for a formula ip to be true at a state s of M, written (M, s) \= p, 
inductively as follows. For the prepositional fragment of the logic, the rules are straightforward. 

(M, s) \= p if 7r(s)(p) = true 

(M, S )\=^H(M,s)^ip 

(M,s) \= ip A ip if (M, s) |= cp and (M, s) |= ip. 

To define the semantics of knowledge, we follow the standard approach due to Hintikka [1962]. 
We define a relation on the states that captures the states that the agent cannot distinguish based on 
the observations. Let s ~ s f if and only if s = (e, O) and s' = (e',0) for some e,e', and set of 
observations O. Clearly, ~ is an equivalence relation on the states. 

(M, s) \= Kip if (M, a') |= for all s' ~ s. 

To define the semantics of the X operator, we need to invoke the deductive system. To do this, 
we first define the translation of a formula ip of £ KD (S) into a term p T of the term algebra, in the 
completely obvious way: p is p for any primitive proposition p (recall that primitive propositions 
are just terms in T|), (^p) T is not(p T ), (p A ip) T is and(y? T , ip T ), (Kp) T is kno\N(p T ), (X(p) T 
is xknow(p T ), and (Ob(p)) T is simply ob(p). 

(M,s) ^X^if s = (e,0) and{ob(p) | p G 0} h D (^ T . 

The monotonicity of the deductive systems means that for a structure M with states s = (e, O), 
s' = {e',0'), and O C C, we have (M,s) |= X99 implies (M,s') \= X<p. Thus, explicit 
knowledge of facts is never lost when new observations are made. Finally, we interpret Ob(p) by 
checking whether p is one of the observations made by the agent: 

(M, s) \= Ob{p) if s = (e, O) and p G O. 

As usual, we say a formula tp is vaZ/J in M if (M, s) |= tp for all s E S, and satisfiable in M if 
(M, s) |= </5 for some s G 5. If is a set of models, we say a formula p is vaZ/ci Zra Al if p is valid 
in every M G A4, and satisfiable in M. if 99 is satisfiable in some M G M.. A formula 99 in £ KD (£) 
is vaZ/J if it is valid in Ai(T,), and satisfiable if it is satisfiable in 

Example 3.2. Consider Example 3.1. By definition of ir, (M, si) |= If (has(m)) and (M, S2) |= 
K(has(m)), so that at both states, the adversary implicitly knows he possesses message m. How- 
ever, from the results of Example 2.1, we see that (M, S2) \= A A (has(m)), while [M,s\) |= 
-iX(has(m)). In other words, the adversary explicitly knows he possesses m at state S2 (where 
he has intercepted the appropriate terms), but not at state si. □ 

Example 3.3. The following deduction rules can be added to any deductive system to obtain a 
deductive system that captures a subset of the inferences that can be performed in prepositional 
logic: 

ionot(not(i)) not(and(t, not(t'))), t > t' and(t,t')>t' 

not(not(t)) >t not(and(t, not(t'))), not(t') > not(t) t, not(t) > false 

t > not(and(not(i), not(t'))) t, t' > and(t, if) false 
if > not(and(not(t), not(t'))) and(t, if) > t. 



8 



One advantage of these rules, despite the fact that they are incomplete, is that they can be used to 
perform very efficient (linear-time, in fact) prepositional inference [McAllester 1993]. □ 

Example 3.4. We can easily let the agent explicitly reason about his deductive algorithmic knowl- 
edge by adding a rule 

i [> xknow(i) (1) 

to his deductive system D. Thus, if M is a deductive algorithmic knowledge structure over D, and 
(M,s) \= X(p, then we have s = (e,0), with O he ip T , and by the above rule, the deductive 
system D can also derive O \~d xknow(ip T ), so that O hp {Xip) T . Thus, (M, s) \= X(Xip), as 
required. It is possible to restrict the deductive algorithmic knowledge of an agent with respect to 
his own deductive algorithmic knowledge by suitably modifying rule (1), restricting it to apply only 
to a subset of the terms. □ 

There is a subtlety involved in any logic with a modal operator that we wish not to be subject 
to logical omniscience. Intuitively, such a logic forces one to be quite aware of what symbols are 
defined by abbreviation, and which are not. Earlier in this section, we defined true, false, V, and =>■ 
by abbreviation, which means that any formula containing V or is really a formula containing A 
and -i. Thus, the agent cannot explicitly distinguish between ipV ip and -i(-np A ->ip); they are the 
same formula in the logic, and the validity |= X(ip V ijj) -£4> X(-i(-xp A -| Y>)) simply reflects this 
identity. Such a result seems to go against the main motivation for explicit knowledge, to ensure that 
knowledge is not closed under tautologies. Part of the problem here is simply that defining operators 
by abbreviation introduces inescapable equivalences. An easy way to circumvent this problem is to 
use a syntax that directly uses V, =>, and perhaps other connectives, rather than introducing them 
through abbreviations. We would then add similar constructors to the signature S KD , and extend 
the translation ip T accordingly. This gives full control on which tautologies are validated by explicit 
knowledge, and which are not. 

Finally, it is worth pointing out the relationship between our framework and Konolige's [1986]. 
Roughly speaking, Konolige's framework corresponds to the deductive systems we described in the 
last section — it supplies a logical theory for the reasoning of an agent (albeit, in Konolige's case, 
a first-order logical theory). The logic in this section may be used to reason about the knowledge 
of agents who reason using Konolige's logical theories. In this sense, our logic is compatible with 
Konolige's framework. More interestingly, our framework semantically grounds the basic beliefs 
assumed by Konolige's framework: basic beliefs correspond to observations, which can be reasoned 
about independently of the belief of the agents. 

4 Axiomatizations 

In this section, we present a sound and complete axiomatization for reasoning about explicit knowl- 
edge given by a deductive system. Recall that a formula / is provable in an axiomatization if / can 
be proved using the axioms and rules of inference of the axiomatization. An axiomatization is sound 
with respect to a class M of structures if every formula provable in the axiomatization is valid in 
M; an axiomatization is complete with respect to M. if every formula valid in M is provable in the 
axiomatization. 

Clearly, for a fixed deductive system, the properties of X depend on that deductive system. In- 
tuitively, we should be able to read off the properties of X from the deduction rules themselves. 
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This is hardly surprising. Properties of the knowledge algorithms in the framework of algorith- 
mic knowledge immediately translate to properties of the X operator. To adapt an example from 
Halpern, Moses, and Vardi [1994], if a knowledge algorithm is sound, that is, it says the agent 
explicitly knows ip in a state if and only if ip is true at that state, then Xp =4> p is valid in any struc- 
ture using such a knowledge algorithm. What is interesting in the context of deductive algorithmic 
knowledge is that we can completely characterize the properties of X by taking advantage of the 
structure of the deductive systems. The remainder of this section makes this statement precise. 

As a first step, we introduce an axiomatization for reasoning about deductive systems in gen- 
eral, independently of the actual deduction rules of the system. This will form the basis of later 
axiomatizations. First, we need axioms and inference rules capturing propositional reasoning in the 
logic: 

Taut. All instances of propositional tautologies. 
MP. From ip and ip => ip infer ip. 

Axiom Taut can be replaced by an axiomatization of propositional tautologies [Enderton 1972]. The 
following well-known axioms and inference rules capture the properties of the knowledge operator 
[Hintikka 1962]: 

Kl. (Kp A K(p => ip)) Kip. 
K2. From p infer Kip. 
K3. Kip p. 
K4. Kp => KKp. 
K5. ->K(p => K^Kp. 

We now turn to deductive algorithmic knowledge. Not surprisingly, Xp does not satisfy many 
properties, because no assumptions were made about the deductive systems. Deductive algorithmic 
knowledge is interpreted with respect to the observations at the current state, and two states are 
indistinguishable to an agent if the same observations are made at both states; therefore, agents 
know whether or not they explicitly know a fact. This is captured by the following axiom: 

XI. Xp => KXp. 

In the presence of K1-K5, it is an easy exercise to check that -<Xp => K-<Xp is provable from XI. 
In addition, all observations are explicitly known. This fact is expressed by the following axiom: 

X2. Ob(p) XOb{p). 

Axiom X2 just formalizes the following property of deduction as defined in Section 2: for all terms t 
of a deductive system D, we have t \~d t. Finally, we need to capture the fact that indistinguishable 
states have exactly the same observations: 

X3. Ob(p) KOb{p). 

It is easy to see that the formula ^Ob(p) =4* K^Ob(p) is provable from X3 in the presence of 
K1-K5. 

Let AX consist of the axioms Taut, MP, K1-K5, and X1-X3. Without further assumptions on 
the deductive systems under consideration, AX completely characterizes reasoning about deductive 
algorithmic knowledge. 
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Theorem 4.1. The axiomatization AX is sound and complete for £ KD (£) with respect to At (£). 
Proof. See Appendix A. □ 



If we want to reason about deductive algorithmic knowledge structures equipped with a specific 
deductive system, we can say more. We can essentially capture reasoning with respect to the specific 
deductive system within our logic. The basic idea is to translate deduction rules of the deductive 
system into formulas of £ KD (E). A deduction rule of the form t±, . . . , t n > t in D is translated to 
a formula (Xt R A ... A Xt R ) =>■ Xt R , with the understanding that an empty conjunction is just 
true. We define the formula t R corresponding to the term t by induction on the structure of t: 
true R is true, h\se R is false, (not(t)) R is ^(t R ), (and(t 1 ,t 2 )) R is if A if, (know(i)) R is K(t R ), 
(xknow(t)) i? is X(t R ), {ob(t)) R is Ob(t R ) (if t G T|), and t R is t for all other terms t. We view 
the result of the translation as an axiom scheme, where the variables in ii, . . . , t n , t act as schema 
metavariables, to be replaced by appropriate elements of the term algebra. 5 It is easy to see that 
(t T ) R = t for all terms t. Furthermore, we do not translate constructors in S KD that appear under 
constructors in £ within a term. (Intuitively, these constructors will never arise out of the translation 
of formulas given in Section 3.) Let AX D be the set of axioms derived in this way for the X U E KD - 
deductive system D. 

A simple argument shows that the axiomatization AX augmented with axioms AX D is not 
complete for M £>(£,), since there are formulas of the form Xip that cannot be true in any structure 
in .M namely, Xip where ip T is not derivable from any set of observations using the deductive 
system D. Thus, ^Xip is valid for those ip, but the axioms above clearly cannot prove -<Xip. In 
other words, the axioms in AX D capture deducibility in ho, but not nondeducibility. We can 
however establish completeness with respect to a more general class of structures, intuitively, those 
structures using a deductive system containing at least the deduction rules in D. Let _M_dc(X) be 
the class of all structures M such that there exists D' with D C D' and M G Md' ■ 

Theorem 4.2. The axiomatization AX augmented with axioms AX D is sound and complete for 
C KD (T,) with respect to A4 D c(S). 

Proof. See Appendix A. □ 

If we are willing to restrict the formulas to consider, we can get completeness with respect to 
A / Jd(S). This follows directly from the intuition that the axiomatization can prove all deductions 
in D but not the nondeductions. First, a few definitions: a top-level occurrence of a deductive 
algorithmic knowledge subformula Xi[) in tp is an occurrence that does not occur in the scope of an 
X operator. An occurrence of a subformula ip is said to be positive if it occurs in the scope of an 
even number of negations. 

Theorem 4.3. Let cp be a formula of £ KD (£) in which every top-level occurrence of a subformula 
Xip is positive; then (p is valid in M.d{TP) if and only if p is provable in the axiomatization AX 
augmented with axioms AX D . 

Proof. See Appendix A. □ 

In particular, Theorem 4.3 implies that a formula of the form Xp is valid in M. D (YP) if and only 
if X tp is provable in the axiomatization AX augmented with axioms AX D . 

5 One needs to be careful when defining this kind of axiom schema formally. Intuitively, an axiom schema of the 
above form, with metavariables appearing in terms, corresponds to the set of axioms where each primitive proposition in 
the axiom is a ground substitution instance of the appropriate term in the axiom schema. 
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5 Decision Procedures 



In this section, we study the decision problem for £ KD (£), that is, the problem of determining, 
for a given formula, whether it is satisfiable. Again, we emphasize that we are considering only a 
single agent here; allowing multiple agents changes the complexity, as we shall see in Section 6. 
Since £ KD (£) logic extends the logic of knowledge where the knowledge operator is interpreted 
over an equivalence relation (in our case, the relation ~ saying that two states contain the same ob- 
servations), and since the complexity of the decision problem for the latter is NP-complete [Ladner 
1977], the difficulty of deciding satisfiability for £ KD (X!) is at least as hard. We can use the fact that 
there is a tight relationship between these logics to get our complexity results. 

We measure complexity in terms of the size of the formulas. Define the size |£| of a term t to 
be the number of symbols required to write t, where each operation symbol is counted as a single 
symbol. If T is a finite set of terms, then |r| is just the sum of the sizes of the terms in T. Similarly, 
the size \tp\ of a formula is defined to be the number of symbols required to write tp, where again 
each operation symbol is counted as a single symbol. 

We can now state our complexity results. It turns out that adding a deductive algorithmic knowl- 
edge operator to the logic of knowledge over an equivalence relation does not change the complexity 
of the decision problem. Deciding satisfiability of a formula of £ KD (£) is essentially the same as 
deciding satisfiability of a formula in the logic of knowledge over an equivalence relation, with the 
difference that to account for deductive algorithmic knowledge, we need to construct a deductive 
system with specific deduction rules that suffice to satisfy the subformulas Xp appearing in the 
formula. 

Theorem 5.1. The problem of deciding whether a formula (p of £ KD (E) is satisfiable in is 
NP-complete. 

Proof. See Appendix B. □ 

What happens if we fix a specific deductive system, and want to establish whether a formula 
ip is satisfiable in a structure over that deductive system? The difficulty of this problem depends 
intrinsically on the difficulty of deciding whether a deduction r ho t exists in D. Since this 
problem may be arbitrarily difficult for certain deductive systems D, reasoning in our logic can 
be arbitrarily difficult over those deductive systems. The logic £ KD (E) includes the propositional 
connectives, which gives us an easy lower bound. 

Theorem 5.2. For any given £ U S KD -deductive system D, the problem of deciding whether a 
formula p> of X KD (£) is satisfiable in A^d(S) is NP-hard. 

Proof. See Appendix B. □ 

On the other hand, if the deductive system is decidable in nondeterministic polynomial time 
(i.e., if the problem of deciding whether a deduction T \~d t exists in D can be solved by a non- 
deterministic Turing machine in time polynomial in |T| and \t\), then the decision problem for £ KD 
remains relatively easy, at least with respect to models of a reasonable size. More precisely, let 
_M£,(X) be the class of all deductive algorithmic knowledge structures using deductive system D, 
where the number of observations at every state is at most n. 
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Theorem 5.3. For any given £ U S KD -deductive system D that is decidable in nondeterministic 
polynomial time and for any polynomial P{x), the problem of deciding whether a formula (p of 
£ KD (£) is satisfiable in M$ M \e) is NP-complete. 

Proof. See Appendix B. □ 

There is a class of deductive systems that can be efficiently decided (i.e., in polynomial time) 
and thus by Theorem 5.3 lead to a reasonable complexity for £ KD (£) interpreted over those systems. 
Call a deduction local in a deductive system D if every proper subterm of a term in the deduction 
is either a proper subterm of t, a proper subterm of a member of T, or appears as a subterm of a 
deduction rule in D. For any deductive system D, whether a local deduction of t from V exists can 
be decided in time polynomial in |T| and \t\. A deductive system D is local if whenever T \~r> t there 
exists a local deduction of t from F [McAllester 1993]. Thus, if D is a local deductive system, the 
existence of a deduction ensures the existence of a local deduction, and consequently the deduction 
relation \-£> is polynomial-time decidable. The deductive system in Example 2.1 is local, while 
adding the deduction rules in Example 3.3 to any local deductive system yields a local deductive 
system. 

Theorem 5.4. For any local £ U S KD -deductive system D and for any polynomial P(x), the prob- 
lem of deciding whether a formula if of £ KD (£) is satisfiable in M^^\t,) is NP-complete. 

Proof. Immediate from the property of local deductive system, and from Theorem 5.3. □ 



6 Reasoning about Multiple Agents 

The framework we have described extends to multiple agents in a straightforward way. This exten- 
sion is similar to the extension of modal logics of knowledge to multiple agents [Fagin, Halpern, 
Moses, and Vardi 1995]. The only addition is that we need to equip every agent with a deductive 
system. 

Suppose a group of agents, named 1, . . . , n for simplicity. We define the logic £™(E) as we 
did £ KD (£), except that the operators K{, Xi, and Obi are indexed by an agent. A priori, there 
is no difficulty in giving a semantics to this logic as we have done in Section 3. Unfortunately, 
this does not let an agent explicitly reason about another agent's knowledge. In order to do this, 
we need to modify and extend the framework. As before, we consider deductive systems over 
a signature £ extended with a set £™ of constructors given by £™ = {true, false, not, and} U 
|J" =1 {obj, knowj, xknowj}, where true, false have arity 0, obj, not, knowj, xknowj have arity 1, and 
and has arity 2. 

A deductive algorithmic knowledge structure with n agents is a tuple M = (S, ir, D\ , . . . , D n ), 
where S is a set of states, ir is an interpretation for the primitive propositions, and D, L is a £ U S™- 
deductive system. Every state s in S is of the form (e,0\,. . . , O n ), where e captures the general 
state of the system, and Oi is a finite set of observations from T|, representing the observations that 
agent i has made at that state. The interpretation it associates with every state the set of primitive 
propositions true at that state, so that for all primitive proposition p G T|, we have ir(s)(p) G 
{true, false}. 

Let M. n (T,) be the set of all deductive algorithmic knowledge structures using £ U £™-deductive 
systems for each agent. For fixed £ U S™ -deductive systems Di,...,D n , let Md 1 ,...,d„(^') 
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be the set of all deductive algorithmic knowledge structures for n agents with deductive systems 
D n (i.e., agent i uses deductive system Di). 
The remaining definitions generalize in a similar way. We define, for each agent, a relation on 
the states that captures the states that the agent cannot distinguish, based on his observations. More 
precisely, let s ~j s' if and only s = (e, 0±, . . . , O n ) and s' = (e', 0[, . . . , 0' n ), for some e, e' and 
sets of observations Oi, . . . , O n , 0[ , . . . , 0' n with Oi = 0\. Again, ~, is an equivalence relation 
on the states. 

The translation of a formula ip into a term ip T of the deductive system now takes into account 
the name of the agents. As expected, p T is p for any primitive proposition p, (~^p) T is not(p T ), 
(ip f\ip) T is and(p T , ip T ), (Ki(p) T is knowj(</? T ), (Xi(p) T is xknowj((,o T ), and (Obi(p)) T is obj(p). 

The semantics is just like that of Section 3, except with the following rules for K^ip, X^ip, and 
Obi(p): 

(M, s) \= K t (p if (M, s') \= p for all s' ~< s 

(M, s) \= Xi<p if s = (e, Oi, . . . , O n ) and {obj(p) | p G h A 

(M,s) |= 06i(p) ifa = (e,Oi,...,O n )andp€Oi. 

Example 6.1. Kaplan and Schubert [2000] study a phenomenon they call simulative inference 
where, roughly speaking, an agent can reconstruct the reasoning of another agent. We can cap- 
ture this phenomenon by making suitable assumptions on an agent's deductive system. (Kaplan 
and Schubert work in a different setting — they assume that the inference engine is explicitly told 
formulas, and thus work in a setting similar to that of belief revision [Alchourron, Gardenfors, and 
Makinson 1985].) Say that a deductive system for agent % permits simulative inference of agent 
j with Dj if Di contains a rule otx, (i) > xknowj (obj (t) ) , and for every rule t\ , . . . , > t of Dj, there 
is a corresponding rule xknovv, (ii), . . . , xknowj(tfc) o xknowj(t) in D^. It is then easy to check 
that if we have (M, s) \= Xjip for some state s = (e, 0±, . . . , O n ) with {pi, . . . ,pk} C Oj, and 
(M, s) \= XiObj(pi) A • • • AXiObjipk), then (M, s) \= XiXjip. Note that this derivation assumes 
that the agent i can explicitly determine that agent j has observed pi, . . . ,pk- □ 

As far as axiomatizations are concerned, we can essentially lift the results of Section 4. It suf- 
fices to consider an axiomatization where K1-K5 now refer to Ki rather than just K. For instance, 
Kl becomes K^p A Ki(ip =>• ip) => K^ip, for every agent i. In a similar way, the axiom XI simply 
becomes Xnp KiXip. For X2 and X3, we need to further restrict the observations to be those 
of the agent under consideration: Obi(p) XiObi(p), and Obi(p) =>■ KiObi(p). Let AX n be the 
resulting axiomatization. 

Theorem 6.2. The axiomatization AX n is sound and complete for with respect to A4 n (Y<). 

Proof. See Appendix C. □ 

As in the single agent case, we can capture the reasoning with respect to specific deductive 
systems (one per agent) within our logic. Again, we translate deduction rules of the deductive 
systems into formulas of Consider the deductive system Di for agent i. A deduction 

rule of the form t\, . . . , t n > t in Dj is translated to a formula (Xitf A ... A X^) Xit R . We 
define the formula t R corresponding to the term t by induction on the structure of t: true R is true, 
false 72 is false, (not(t)) R is ->{t R ), (and(ti, t 2 )) R is tf M R , (know i(t)) R is Ki(t R ), (xknow^t))^ 
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is Xi(t R ), (obi(t)) R is Obi(t R ) (if t £ T|), and t R is t for all other terms t. (As in Section 4, 
such a translation yields an axiom schema, where we view the variables in t\, . . . , t n , t as schema 
metavariables, to be replaced by appropriate elements of the term algebra.) Let AX^ be the set of 
axioms derived in this way for the deductive system Di of agent i. 

As in the single agent case, we cannot capture exactly the reasoning in structures where agent i 
is using deductive system Di, since we cannot capture nondeducibility within the logic. Therefore, 
completeness is established with respect to a larger class of structures. Let Md 1 ,...,d„c{^) be the 
class of all structures M such that there exists D[ , . . . , D' n with D\ C D[ , . . . , D n C D' n and 
MeM D ' D > ■ 

LJ \i---i L -'n 

Theorem 6.3. The axiomatization AX ra augmented with axioms AX^ 1 , . . . , AX^ n is sound and 
complete for £™(£) with respect to .M_Di,...,D n c(X!). 

Proof. See Appendix C. □ 

The complexity of the decision problem in the case of multiple agents reflects the complexity 
of the decision problem for the modal logic of knowledge with multiple agents. The logic 
extends the logic of knowledge over equivalence relations for n agents, and it is known that the 
decision problem for that logic is PSPACE-complete [Halpern and Moses 1992]. As in the single 
agent case, adding deductive algorithmic knowledge does not affect the complexity of the decision 
problem with respect to arbitrary deductive systems. 

Theorem 6.4. If n > 2, the problem of deciding whether a formula ip of £™(E) is satisfiable in 
M n {Y>) is PSPACE-complete. 

Proof. See Appendix C. □ 

There is no clear candidate for an equivalent of Theorem 5.3 in the multiple agents context. 
Assuming every agent uses a tractable deductive system yields an easy EXPTIME upper bound on 
the decision problem for while the best lower bound we obtain is the same as the one in 

Theorem 6.4, that is, the problem is PSPACE-hard. 



7 Conclusion 

We have described in this paper an approach to combining implicit knowledge interpreted over pos- 
sible worlds with a notion of explicit knowledge based on a deductive system that allows agents 
to derive what they explicitly know. This additional structure, the agent's deductive system, can be 
used to completely characterize the properties of the explicit knowledge operator. More specifically, 
we can derive sound and complete axiomatizations for the logic in a uniform way. There are many 
approaches to modeling explicit knowledge in the literature, with many different philosophical in- 
tuitions and interpretations. The model in this paper is based on a conception of explicit knowledge 
(viz., obtained from inference rules) that goes back at least to Konolige [1986], and aims at cap- 
turing a particularly computational interpretation of explicit knowledge based on observations. We 
remark that our model is consistent with a number of epistemological theories [Pollock and Cruz 
1999] that argue that all knowledge is ultimately derived from observations. 

While the framework extends to multiple agents in a straightforward way, there are many issues 
that still remain to be addressed at that level. For instance, a natural question is what happens when 
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we move to more dynamic models, where the observations are taken over time. There are interesting 
issues that arise, especially when we assume that agents do not share a clock to synchronize their 
observations. We hope to explore this extension in future work. 

What is our framework good for? Because deductive algorithmic knowledge is a special case 
of algorithmic knowledge, any situation that can be modeled in our framework can also be modeled 
in the original algorithmic knowledge framework. The one advantage of our logic, however, is 
that it admits sound and complete axiomatizations derivable directly from the deductive systems. 
Therefore, we can devise useful proof systems for interesting classes of applications, corresponding 
to different deductive systems. 

The framework in this paper sheds light on the epistemic content of deductive systems, in that we 
provide a logic in which we can reason about implicit knowledge and explicit knowledge derived 
from a deductive system. An interesting question is whether this approach can shed light on the 
epistemic content of probabilistic deductive systems, of the kind found in the recent probabilistic 
deductive database literature [Lukasiewicz 1999; Lakshmanan and Sadri 2001]. Presumably, the 
ideas developed by Halpern and Pucella [2005] may be applicable in this setting. 
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A Proofs for Section 4 

The proof of soundness and completeness in Section 4 rely on fairly standard canonical model 
constructions [Hughes and Cresswell 1996]. We review the required notions here, for completeness. 
A canonical model is a model whose states are consistent sets of formulas, with the property that 
valid formulas of the logic are true at states of the canonical model. Recall that a formula p is 
consistent (with respect to an axiomatization AX) if -></? is not provable from AX. A finite set of 
formulas {ip±, . . . , p n } is consistent if and only if ip± A ■ ■ ■ A <p n is consistent. An infinite set F 
of formulas is consistent if and only if every finite subset of F is consistent. A set of formulas 
is maximally consistent if it is not properly contained in any other consistent set of formulas. We 
assume some familiarity with properties of maximally consistent sets of formulas. Such properties 
include, for V a maximally consistent set of formulas: for all ip, exactly one of p or -up is in V; p 
and ip are both in V if and only if ip A ip is in V; if p and p => ip are in V, then ip is in V; every 
provable formula is in V (in particular, every axiom of AX is in V). 

Some definitions will be useful. First, given a set V of formulas, let V/K = {p \ Kp G V}. 
Let C be the set of all maximal consistent sets of formulas of £ KD (£). For V G C, let V j Ob = {p € 
T| | Ob{p) G V}. Define the relation « over C by taking V « U if and only if V/K C U. 

Lemma A.l. (1) « is an equivalence relation on C. 

(2) IfV ^U, then Vj Ob = U/Ob. 
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(3) For all ip in £ KD (£), ifVmU, then Xip G V if and only if Xip G U. 

Proof. (1) The proof that « is an equivalence relation is completely standard, and relies on the 
axioms K1-K5 [Hughes and Cresswell 1996]. 

(2) Let p G V I Ob C V . Since V is maximally consistent, all instances of X3 are in V, and thus 
Ob(p) => KOb(p) is in V, so by MP, KOb(p) G V, and thus 06(p) G V/lf C 17. Therefore, 

G [7, and V/ Ob C [7/ 06. Since « is an equivalence relation, V ~ f7 implies that f7 V, 
and by the same argument, we get U/ Ob C V/ (96. 

(3) This follows easily from XI. Assume Xip G V. Then 7CA> G V by XI, and thus Xip G 
V/ iv", and since V ~ ?7, G ?7. The converse direction follows from the fact that ss is symmetric. 



Theorem 4.1. 77ie axiomatization AX is sound and complete for £ KD (X) wiYA respect to 

Proof. Proving soundness is straightforward. For completeness, we prove the equivalent statement 
that if (p is consistent (i.e., -xp is not provable from the axiomatization AX), then ip is satisfiable 
in some structure in The satisfying structure will be constructed from the set of maximally 

consistent formulas. 

Let ip be a consistent formula of £ KD (E), and let Sub(p) be the set of subformulas of ip (in- 
cluding p itself). Since p is consistent, there is a set G C with p> G with IV^/ 06| < oo: 
first construct a set V starting with p, adding Ob(p) for every observation Ob(p) appearing in tp if 
Ob(p) Apis consistent, and adding ->Ob(p) for every observation Ob(p) either not appearing in ip 
or inconsistent with p; it easy to establish that V is consistent, so V is extensible to a maximally 
consistent set with \Vf / Ob\ < oo. 

Let O v = Vf/Ob. Let [Vf]^ be the ^-equivalence class that contains V v . We will use the 
sets of formulas [Vf]~ as states of our structure. More specifically, define the deductive algorithmic 
knowledge structure Mf = (S*, vr^, Df) by taking: 



To simplify the discussion, and because Of is fixed in Mf, we refer to the state (sy, Of) as simply 
sy; for instance, we freely write sy G Sf. We can check that D v defines a £ U S KD -deductive 
system. Decidability of D v holds trivially, since D v contains finitely many deduction rules, as 
Sub(p) is finite. Thus, M v is a deductive algorithmic knowledge structure. 

We now show that for all sy G Sf and all subformulas ip G Sub(p), we have (Mf, sy) \= ip 
if and only if ip G V, by induction on the structure of formulas. The cases for true, false, primitive 
propositions, conjunction, and negation are straightforward, using maximal consistency of V. 

For Ob(p), first assume that (M v , sy) \= Ob(p). This means that p G Of, so p G Vf/Ob, 
and since Vf / Ob = V/Ob, p G V/Ob, and thus Ob(p) G F. Conversely, if Ob(p) G V, then 
p G Vj Ob = Vf/Ob, so that p G 0*\ and thus (Mf, sy) (= 06(p). 

Now, consider a deductive algorithmic knowledge formula Xip. First, assume that we have 
(Mf,s v ) \= Xip. By definition, {ob(p) | p G C^} h D¥ > V T - If ^ is Ob(p) for some p G Of, 
then (M 1 ^, sy) |= Ob(p), and thus Ofe(p) G V by the induction hypothesis; by X2, XOb(p) G V. 



□ 



SV = {( SVj oip) |y G [V^} 




D* = {(0,ip T ) | G Sub(p),XiP G V^}. 
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Otherwise, by construction of D v , there must exist a rule >ip T in . In other words, Xip G V 9 . 
Since V V v by choice of S^, we get A?/> G F, following Lemma A.l. Conversely, assume that 
Xip G V. By definition of Df, (0, ip T ) G D*', and thus {ob(p) | p G O^} h D¥ > ip T , meaning that 

(Mf,s v ) \= Xip. 

For a knowledge formula Kip, the result follows from essentially the same proof as that of 
Halpern and Moses [1992]. We give it here for completeness. First, assume (M v , sy) \= Kip. It 
follows that (V/K) U {-<ip} is not consistent. (Otherwise, it would be contained in some maximal 
consistent set U in C, and by construction, we would have V/K C U, and thus V ~ U, and 
hence sy ~ sjj; but since we have -iip G £7, we have if) £ U, and by the induction hypothesis, 
(M^,su) y= ip, contradicting (Mf,sv) \= Kip.) Since (V/K) U {->if)} is not consistent, there 
must be some finite subset {(p±, . . . ,ipk, ->ip} which is not consistent. By prepositional reasoning, 
we can derive that tpi =4* (992 =>(...=> (<Pk =^ ip) ■ ■ ■)) is provable, and thus K(ipi =4* (992 => 
(...=> (99^ =4> V) • • • ))) i s provable by K2. It is straightforward to derive from this by induction, 
prepositional reasoning, and Kl, that Ktpi =4* (K^>2 =>(■■■=> [K^pk => Kip) . . . )) is provable. 
Thus, K(pi => (K<p 2 => (■■■ => (K(p k => Kip) . . .)) G V. Because <pi,...,<pk G V/K, we 
have K(pi, . . . ,Kifk G V, and by repeated applications of MP, we have Kip G V, as desired. 
Conversely, if we assume Kip G V, then ip G V/K. Let su be an arbitrary state of S v . By 
construction of M v , V « £/ and thus V/K C U. Therefore, we have ip & U, and by the induction 
hypothesis, (M 1 ^, S{/) |= Since S[/ was arbitrary, and since su ~ sy (immediate by the definition 
of S"0, this means that (M v , s y ) |= iv"V- 

Completeness of AX now follows immediately. Since ip £ V v and 99 G Sub(ip), we have 
(M 1 ^, syp) \= <p, and thus 99 is satisfiable. □ 

Theorem 4.2. 77je axiomatization AX augmented with axioms AX D is sound and complete for 
£ KD (£) w/f/i respect to A4dc(S). 

Proo/ Soundness is again straightforward. For completeness, we prove the equivalent statement 
that if 99 is consistent (i.e., if ^99 is not provable from the axiomatization AX augmented with the 
axioms XX D ) then 99 is satisfiable in some structure in .M £>(£). The procedure is exactly the one 
that is used to prove Theorem 4.1, except with a different deductive system D v . 

We simply indicate where the proof differs from that of Theorem 4.1, and let the reader fill 
in the details. We construct, for a given 99, a deductive algorithmic knowledge structure M v = 
(S^,^, D v ), where and tt^ are constructed as in Theorem 4.1, and is given by 

DU{(0,ip T ) | X1P G Sub((p),Xip G V^}. 

We can check that M v is a deductive algorithmic knowledge structure in A^dc(S). The deductive 
system D v has the following interesting property: if {ob(p) \ p G O^} \~r> ip T , then there is a 
rule >ip T in D v . In other words, every term ip T derivable from the rules in D is derivable directly 
with a single rule in D^. Here is the proof of this property. Assume {ob(p) | p G O^} \~d ip T ■ 
Clearly, it is sufficient to show that Xip G V v . If ip is Ob(p) for some p G O^, then Ob(p) G V*, 
so by X2, XOb(p) G Vf. Otherwise, there must exist a deduction ti,...,t m in D such that 
t m = ip T is a conclusion of the deduction. We show by induction on the length of the deduction 
that for every i, X(ti) R G V^. For the base case i = 1, we have two cases. If t\ is ob(£) 
for some t G O* 9 , then (h) R = Ob{t), and XOb{t) G V*> follows from X2 and the fact that 
i 6 C implies that Ob(t) G V v . If t\ follows from the application of a deduction rule in D, 
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with no antecedents, then by construction, there is an instance of this rule in V^, of the form 
true X(ti) R , and thus X(t\) R G V v . For the inductive case i > 1, again, there are two cases. 
If tj is ob(t) for some t G O v , then the result X(t\) R follows as in the base case. Otherwise, there 
is a rule t[, . . . ,t' k t> t' in D such that for some ground substitution p such that p(t') = t; L and for 
all j G l..k, p(t'j) appears in the deduction before term tj. By construction, there is an instance of 
X(t[) R A • • • A X(t' k ) R => X(t') R in V v , and by induction hypothesis, we have G 
for each ij < i. Thus, by MP, we have X{ti) R G V^. Since ip T = t m , the last element of the 
deduction, we get that X(ip T ) R = Xip is in V^, as desired. 

The rest of the proof follows as before. □ 

The following lemma is useful for proving Theorem 4.3. Roughly, it says that any formula can 
be written as an equivalent formula where all instances of the negation operator occurs before a 
primitive proposition, an observation formula, or an explicit knowledge formula. To simplify the 
presentation of the lemma, we write the resulting formula using operator V, as well as operator Lip, 
which is just an abbreviation for -iK-np. 

Lemma A. 2. Every formula ip of £ KD (£) is logically equivalent to a formula Tp written using p, 
—>p, Ob(p), ^Ob(p) (for primitive propositions p) and Xip and -^Xtp (for ip in £ KD (£)j, and the 
operators A, V, K, and L. Moreover, if every top-level occurrence of a subformula Xip is positive 
in tp, then no occurrence of Xip in Tp is in the scope of a negation. 

Proof. The first part of the lemma follows directly from the following laws, which permit one to 
move negations into a formula as far down as they go: 

-.fa A ^) V(-.^) 

^(Ktp) & Liptp) 
-"(->¥>) ^ <P- 

The second part of the lemma follows by observing that the laws above preserve the evenness or 
oddness of the number of negations under the scope of which each subformula Xip appears. □ 

Theorem 4.3. Let ip he a formula o/>C KD (S) in which every top-level occurrence of a subformula 
Xip is positive; then tp is valid in M.£,{Ti) if and only if tp is provable in the axiomatization AX 
augmented with axioms AX D . 

Proof. Let tp be of the required form. By Lemma A.2, Tp is also of the required form, and moreover 
is such that negations only appear in front of p, Ob(p), or Xip. Since each occurrence is Xip in Tp 
is positive, this means that every Xip appears unnegated in Tp. Let M = (S, it, D) be an arbitrary 
model in .M £>(£), and let Mjy = (S,ir,D') be the corresponding model for D' D D. We claim 
that for all s G S, (M, s) \= Tp if and only if (M^,s) |= Tp. This is easily established by induction 
on the structure of Tp. (The key point is that we do not need to consider the case -iXip, which is 
guaranteed not to occur in Tp.) Since s was arbitrary, we have M \= Tp if and only if Mr>> \= Tp. 
Now, assume tp is valid in .M /)(£). Let Mr>' = (S, ir, D') be an arbitrary model in A4dc(E>), and 
let M = (S, it, D). Since Tp is valid in Md{^), M \= Tp; by our result above, Mrj' \= Tp. Since 
Mryi was arbitrary, we have Tp is valid in M dc(S). 
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Conversely, assume ip is provable in the axiomatization AX augmented with axioms AX^. By 
Theorem 4.2, <p is valid in Mdc(^)- Since Md{^) Q Mdc{^), then ip is certainly valid in 
Md- □ 



B Proofs for Section 5 

We assume the terminology and notation of [Fagin, Halpern, Moses, and Vardi 1995] for the modal 
logic of knowledge over an arbitrary equivalence relation; we call this logic C K , and let /, g range 
over formulas of £ K . (This notation will let us distinguish £ K formulas from £ KD (£) formulas 
when they occur in the same statements.) The logic £ K is interpreted over £ K -structures, that is, 
Kripke structures (S, IC, ir) with an arbitrary equivalence relation IC over the states that is used to 
interpret the modal operator; the satisfaction relation is written (M, s) \= K f, and is defined just 
like |=, but using the equivalence relation JC over the states rather than the ~ relation, and without 
the X and Ob operators. We write )C(s) for {V | (s, s') G IC}. The following small model result 
for £ K , due to Ladner [1977], is central to most of the proofs in this section. 

Theorem B.l. [Ladner 1977] Given f an £. K formula, if f is satisfiable, then f is satisfiable in an 
C K -structure M = (S, IC, ir) where \S\ < \ f\, and IC is the universal relation, that is, K, = S x S. 

Our result will follow by relating the complexity of £ KD (S) to the complexity of C K . We 
can easily reduce the decision problem for C K to our logic, by simply ignoring the Xip formulas. 
Consider the following construction. Let / be a formula of C K . Let pi,... ,Pk be the primitive 
propositions appearing in /. We first come up with an encoding of these primitive propositions 
into the language of S. For example, we can take p\ to be true, p2 to be not(true), p% to be 
not(not(true)), and so forth. Let t p be the term encoding the primitive proposition p. Let / be the 
formula obtained by replacing every instance of a primitive proposition p in / by t p . Note that \ f\ 
is polynomial in |/|, and that / contains no instance of the X operator. 

Lemma B.2. Given f an C K formula, and given D an arbitrary KD deductive system over E, the 
following are equivalent: 

(1) / is satisfiable in an C K -structure; 

(2) / is satisfiable in A1d(E); 

(3) / is satisfiable in .A4($]). 

Proof. (1) (2): Assume / is satisfiable in an £ K -structure. By Theorem B.l, we know that there 
exists an £ K -structure M = (S, IC, ir) where JC is an equivalence relation on S and (M, s) \= K f 
for some s £ S. 6 Let {[s];c | s <G S} be the set of equivalence classes of IC, of which there are 
at most |/|. We encode these equivalence classes using an encoding similar to that for primitive 
propositions. Let false, not(false), not(not(false)), ... be an encoding of these equivalence classes, 
where we denote by t s the encoding of [s}jc- Thus, (s, s') G K, if and only if t s = t s >. Construct 
the deductive algorithmic knowledge structure M' = (S f , ir', D), where S' = {(s, {t s }) \ s G S}, 

6 While Theorem B.l says that the equivalence relation K, can be taken to be universal, we will not take advantage of 
this in this proof or the proof of Lemma B.3. This is in order to simplify the generalization of these proofs to the multiple 
agents case (Theorem 6.4). 
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and 7r' is given as follows. For a term t p and state s, vr'((s, {i s }))(*p) = tt(s)(p). For all other 
terms t, we take vr'((s, {t s }))(t) = false. It is easy to check by induction on the structure of / 
that if (M, s) |= K /, then (M', (s, {i s })) |= /. Here are the interesting cases of the induction. 
If / is a primitive proposition p, then by assumption, (M,s) \= K p, so ir(s)(p) = true; thus, 
^'((S) {*s}))(*p) = true, and (M', (s, {t s })) \= t p . If /is then by assumption, (M, s) ^ K Kg, 
so that for all s' G /C(s), (M, s') \= K g. By the induction hypothesis, we have for all s' G /C(s), 
(M', (V, {£</})) |= 5, which is equivalent to saying that for all (s', {t s >}) ~ (s, {t s }) (since t s > = t s 
exactly when s' G JC(s)), (M', (s 1 , {t s >})) |= g, and thus (M', (s, {t s })) \= Kg, as required. 

(2) => (3): This is immediate, since M D (T,) C .M(E). 

(3) =>■ (1): Assume / is satisfiable in a deductive algorithmic knowledge structure M = 
(S,ir,D'), that is, (M,s) \= f for some s G S. Construct the £ K -structure M' = (S,)C,it') 
by taking 7r'(s)(p) = true if and only if ir(s)(t p ) = true, and taking K, to be ~. It is easy to check 
by induction on the structure of / that if (M, s) (= /, then {M\ s) ^ K /. Here are the interesting 
cases of the induction. If / is a primitive proposition p, then by assumption, (M, s) \= t p , so that 
7r(s)(t p ) = true. Thus means 7r'(s)(p) = true, and thus (M f , s) \= K p. If / is Kg, then by assump- 
tion, (M, s) \= Kg, that is, for all s' ~ s, (M, s') \= g. By the induction hypothesis, this yields for 
all s' ~ s, (M f , s') \= K g, which is equivalent to the fact that for all s' G JC(s), (M', s') \= K g, that 
is, (M', s) |= K Kg, as required. □ 

Lemma B.2 says that we can relate the satisfiability of an arbitrary formula of £ K to that of a 
formula of C KD . We can similarly relate the satisfiability of an arbitrary formula of C KD to that of 
a formula of C K , in much the same way. More precisely, given 99 G £ KD (S), let (p be defined as 
follows. The set T| is countable, so let {pt \ t G T|} be a countable set of primitive propositions 
corresponding to the ground terms of T^. Similarly, the set of formulas {Xip \ tp G £ KD (£)} is 
countable, so let {q^ | tp G £ KD (£)} be a countable set of primitive propositions where corre- 
sponds to the formula Xtp. Finally, let {r t \ t G T|} be a countable set of primitive propositions 
where r t corresponds to the formula Ob(t). Let ip be the translation of tp obtained by replacing 
every occurrence of a term t in T| by p t , every occurrence of a formula Xtp by the corresponding 
q^p, and every occurrence of a formula Ob(t) by the corresponding r t , in conjunction with formulas 
r t 4^ Kr t for all observations Ob(t) appearing in tp, formulas q^ 43- Kq^ for all Xtp appearing in 
<p, and formulas r t => qob{t) f° r ai l observations Ob(t) appearing in tp. This translation is essen- 
tially£ompositional: 991 A tp2 is logically equivalent to tpi A tp 2 , ^tp is logically equivalent to -k/5, 
and Kip is logically equivalent to Kip. Note that \<p\is polynomial in \tp\. 

Lemma B.3. If tp £ >C KD (S), then tp is satisfiable in M(E) if and only if tp is satisfiable in an 
C K -structure. 

Proof. Assume tp is satisfiable in M(T,), that is, there is a deductive algorithmic knowledge struc- 
ture M = (S, ir, D) such that (M, s) \= tp for some s G S. Construct an £ K -structure M' = 
(S,K.,TT f ) by taking 7r'(s)(p t ) = vr(s)(t), tt'(s)(^) = true if and only if (M, s) |= Xtp, tp'(s)(r t ) = 
true if and only if (M, s) \= Ob(t), and K, is simply ~. It is easy to check by induction on the 
structure of tp that if (M, s) \= tp, then (M', s) \= K tp. Here are the interesting cases of the induc- 
tion. If tp is a ground term t, then by assumption, (M, s) \= t, and ir(s)(t) = true. This yields 
ir'(s)(pt) = true, and (M', s) \= K p t . If tp is Xtp, then by assumption, (M, s) |= Xtp, and there- 
fore 7r'(s)((/^) = true, so that (M f , s) \= K q^. If tp is Ob(p), then by assumption (M, s) |= Ob(p), 
therefore 7r'(s)(r p ) = true, so that (M', s) \= K r p . If tp is then by assumption, (M, s) |= 
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that is, for all s' ~ s, (M, s') \= ip. By the induction hypothesis, and the definition of /C, we have 
for all s' G ]C(s), (M', s') \= K tp, that is, (M', s) \= K Kip, as required. 

Conversely, assume ip is satisfied in some £ K -structure. By Theorem B.l, we know that there 
exists an £ K -structure M = (S,K,tt) where |5| < \<p\ and (M, s) ^ K <f for some s G S. Let 
{[s]ic | s € <S} be the set of equivalence classes of K., of which there are at most \(p\, which is poly- 
nomial in \ip\. Let t\, t2, ■ ■ ■ be an encoding of these equivalence classes using terms ti G T| such 
that no Ob(ti) appears in ip. We denote by t s the term encoding the class [s]fc- Thus, (s, s') € /C if 
and only if i s = t s >. For every world s £ S, let O(s) = {p | n(s)(r p ) = true, 06 (p) appears in ip}. 
In some sense, 0(s) represents the observations made at s. By the construction of (p, if (s, s') € /C, 
then 0(s) = O(s'): assume f G 0(s); then (M, s) (= 06(r t ), and thus (M, s) \= KOb(r t ) 
(since (M, s) \= (p), so that (M, s') |= Ob(r t ), and t G O(s'); the result follows by sym- 
metry of K. Construct the deductive algorithmic knowledge structure M' = (S',ir f ,D), where 
S' = {(s, {t s } U 0(s)) | s G S}, and ir' is obtained by taking tt'((s, 0))(t) = true if and only 
if ir(s)(p t ) = true. Finally, take D = {({t s },ip T ) \ Tr(s)(q^) = true}. It is easy to check by 
induction on the structure of tp that if (M, s) \= K <p, then (M', (s, {t s } U O(s))) |= Here are 
the interesting cases of the induction. If 99 is a term t, then by assumption, (M, s) \= K pt, so that 
n(s)(p t ) = true. Thus, we have vr'((s, {t s } U 0(s)))(t) = true, and (M' , (s, {t s } U O(s))) |= i. 
If (p is then we have by assumption (M, s) \= K q^, and so ir(s)(q 1 p) = true, meaning that 
({t s },ifj T ) is a deduction rule in D, and thus (M', (s,{t s } U 0(s))) ^ X^. If ip is 06(t), 
then by assumption (M,s) \= r t , so that ir(s)(rt) = true. Thus, t G O(s), and therefore 
(M',(s,{t s }uO(s))) \= Ob(t).If<pis Kip, consider an arbitrary s' such that (V, {t s >} U 0(s')) ~ 
(s, U O(s)). This certainly implies, by the assumptions on the encoding, that t s = t s >, and thus 
s' G JC(s). By the fact that (M, s) |= Kip, we have (M, s') (= ^, and by the induction hypothesis, 
(M',{t s /}UO(s')) 1=^. Since s' was arbitrary, we get (M', {t s } L)O(s)) |= K^, as required. □ 

Theorem 5.1. 77ze problem of deciding whether a formula ip of £ KD (£) /s satisfiable in is 
NP-complete. 

Proof. For the lower bound, we show how to reduce from the decision problem of C K . Let / be a 
formula of £ K . By Lemma B.2, / is satisfiable if and only if / is satisfiable in M(T,). Thus, the 
complexity of the decision problem for £ K is a lower bound for our decidability problem, that is, NP. 
For the upper bound, we need to exhibit a nondeterministic polynomial time algorithm that decides 
if ip G £ KD (£) is satisfiable. We will use the decision problem for C K itself as an algorithm. By 
Lemma B.3, ip is satisfiable if and only if (p is satisfiable, so we can simply invoke the NP algorithm 
for C K satisfiability on ip. □ 

Theorem 5.2. For any given S U S KD -deductive system D, the problem of deciding whether a 
formula ip ofC KD (T,) is satisfiable in .M_d(X) is NP-hard. 

Proof. The lower bound follows from Lemma B.2. Let / be an C K formula; / is satisfiable if and 
only if / is satisfiable over Md(^) structures. Since the decision problem for C K is NP-complete, 
the lower bound follows. □ 

The following small model result for £ KD (S) over M^iTP) is needed in the proof of Theo- 
rem 5.3. Define the size \M\ of a model M to be the sum of the sizes of the states, where the size 
of a state (e, {pi,... ,p k }) is 1 + \pi\ H h \pk\- 
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Lemma B.4. Let P(x) be a polynomial. If ip is satisfiable in M G M. D (£), then ip is satisfiable 
in a structure M' G .M^'^'^E) with |M'| polynomial in \<p\. 

Proof. Assume ip is satisfiable in some structure M. Let M\ = (Si, /Ci, 7Ti) be the £ K -structure 
obtained by the construction in Lemma B.3, with (Mi, si) \= K (p, for some si = (e, O) in S\. By 
Lemma B.l, we know that ip is satisfied in an £ K -structure M 2 = (S^, /C 2 , 7r 2 ) where jS^I < \<p\, 
K.2 is a universal relation on S2 (that is, /C 2 = S2 x S2), and (M 2 , s 2 ) ^ K f° r some s 2 G ^. We 
reconstruct a satisfying deductive algorithmic knowledge structure from M 2 . Specifically, define 
M' = (S',tt',D) by taking S' = {(s,0) \ s e S 2 } (where O is the set of observations at state 
si), and vr'((s, 0))(t) = 7r 2 (s)(pt). Because the construction of Lemma B.3 does not change the 
number of observations at a state and M 6 A4 P ^\ we have < P(|</?|), and thus J^peoH — 
P(\tp\). Thus, \M'\ is polynomial in |S2|-P(M) < |¥>I-P(M)> tnat i s > polynomial in \ip\, as required. 
A straightforward induction on the structure of ip shows that if (M, s) \= ip (or equivalently, by 
Lemma B.3, (Mi,s±) \= K (p for some si), then (M', (s2,0)) |= V 9 ' f° r some s 2 - Here are the 
interesting cases of the induction. If ip is a ground term t, then (Mi, si) |= Pt, and 7Ti(si)(pt) = 
true; this means that 7r 2 (s 2 )(pt) = true (by construction of M 2 ), so that 7r'((s 2 , 0))(t) = true, 
and (M', (s 2 , O)) |= t. If 99 is X^, then by the fact that (M, s) \= Xijj, and that s = (e, O), we 
have {ob(p) p e O} h fl and thus, (M',(s 2 ,0)) |= X^, since the same observations are 
used at s 2 . Similarly, if <p is Ob(t), then (M, s) \= Ob(t), and if s = (e, O), then t £ O, and 
thus (M', (s 2 , O)) |= Ob(t), since the same observations are used at s 2 . Finally, if ip is X^, then 
consider an arbitrary s' such that (s',0) ~ (s 2 ,0); since all states have the same observations, 
s' can be arbitrary in S' 2 . Since /C 2 was the universal relation on S2, we have s' G /C 2 (s 2 ). By 
assumption, we know (Mi,si) \= K Kip, and thus (M 2 ,u; 2 ) (= K AT?/;, so that (M 2 ,s') |= K ip. By 
the induction hypothesis, (M', (s', O)) |= -0, and since s' was arbitrary, (M f , (s 2 , O)) |= iv~?/>, as 
required. □ 

Theorem 5.3. For any given £ U S KD -deductive system D that is decidable in nondeterministic 
polynomial time and for any polynomial P{x), the problem of deciding whether a formula ip of 
£ KD (£) is satisfiable in M%- M \e) is NF '-complete. 

Proof. The lower bound is given by Theorem 5.2. For the upper bound, we can do something 
similar to what we did in Theorem 5.1, except we need to keep track of the size of the objects 
we manipulate. Let i^bea formula of £ KD (£). We exhibit an algorithm that nondeterministically 
decides if <p is satisfiable. From Lemma B.4, it suffices to nondeterministically guess a satisfying 
structure M with a set of worlds polynomial in \ip\, which is guaranteed to exist if and only if ip is 
satisfiable. Moreover, for every subformula Xtp of ip (of which there are polynomially many) and 
every state s of M (of which there are polynomially many), we nondeterministically guess whether 
the observations at s (of which there are polynomially many) can derive ip . We can verify that p 
is satisfied in M in time polynomial in \ip\, by adapting the polynomial time algorithm of [Halpern 
and Moses 1992, Proposition 3.1]. Roughly speaking, the algorithm consists of enumerating all the 
subformulas of p, and for each subformula ip (in order of length), marking every state of M with 
either ip or ->ip depending on whether ip or ->ip holds at the state: primitive propositions are handled 
by invoking the interpretation, formulas of the form Xip' are handled by verifying if the guess of 
whether ip' T is derivable from the observations at the state is correct, formulas of the form Ob (p) 
are handled by looking up p in the observations at the state (the number of which is polynomial in 
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\<p\), conjunctions and negations are handled in the obvious way, and formulas Kip' are handled by 
looking up whether every reachable state from the current state is marked with ip'. □ 

C Proofs for Section 6 

Theorem 6.2. The axiomatization AX n is sound and complete for with respect to M. n {TP). 

Proof. This is a generalization of the proof of Theorem 4.1. Soundness is easy to check. For 
completeness, we again show that if ip is consistent, then ip is satisfiable. We give the definitions 
here, leaving the details of the proof to the reader. Given a set V of formulas, let V/Ki = {ip | 
Knp G V"}. Let C be the set of all maximal consistent sets of formulas of For V G C, let 

V/ Obi = {p | Obiip) G V}. We define s=3j over C, for every i, by taking V ~j U if and only if 
V/Ki C U. We can check that Wj is an equivalence relation for every i, assuming the axioms Kl- 
K5, just like in the proof of Lemma A.l. We can also check that if V ~j U, then V j Obi = U/ Obi, 
and that for all ip, if V U, then Xiip G V if and only if AjV G f ■ 

As mentioned, this is a generalization of the proof of Theorem 4. 1, in that the satisfying model is 
built from maximally consistent sets of formulas. However, it is not simply a direct generalization. 
For Theorem 4.1, it was sufficient to consider a single equivalence class of the relation « as the set 
of states: all the states could be assumed to have the same observations, thus ~ could be taken to be a 
universal relation in the canonical model. That this can be done is strongly related to Theorem B.l, 
which says that if a formula of C K is satisfiable at all (in an £ K -structure), it is satisfiable in a 
structure with a universal relation. That result does not hold, however, when we consider multiple 
agents. This makes the argument slightly more complex. 

Let ip be a consistent formula of £™(S), and let Sub(tp) be the set of subformulas of ip (includ- 
ing ip itself). Let = {p \ Obi(p) G Sub(ip), for some i}, X v = {ip \ Xiip G Sub(<p), for some i}, 
and K^ = {ip \ K { ip G Sub(<p)}. Clearly, O^, X^, and K^ are finite sets. First, we claim that 
any consistent set of formulas F (with F j Obi C for all i) can be extended to a maximally 
consistent set F' (with F' / Obi ^ O v for all i): construct the set F" incrementally starting with F, 
adding Ob(p) for every observation p G if Ob(p) is consistent with the current set, and adding 
^Ob(p) for every observation p either not appearing in O v or inconsistent with the current set; it 
is easy to establish that F" is consistent, so F" is extensible to a maximally consistent set F' with 
F' j Obi Q O v for all i. Let C(<p) be the set of all maximally consistent sets of formulas F with 
F/ Obi Q O v for all i. We shall use C(ip) as our states. The fact that we consider C(p) means, 
roughly, that we consider only observations in O v as relevant. 

The set X v is finite, so let S\, . . . ,S 2 \x<p\ be an enumeration of the subsets of X v . Let 
pi, . . . ,p 2 \xv\ be a set of primitive propositions not in O v , where we associate pi with Si. De- 
fine the function tag x (V) mapping every set V G C(ip) to the primitive proposition corresponding 
to the set (U^V/Xi)) n X^ where V/Xi = {ip \ X { ip G V}. Thus, tag x (V) gives the primitive 
proposition corresponding to the formulas in X v that appear under an Xi in V. 

In a similar way, the set K v is finite, so let Ti, . . . , T 2 \kv\ be an enumeration of the subsets 
of Kf. Let qi, . . . , q 2 \xv\ be a set of primitive propositions not in O v or {pi, . . . ,p 2 \xv\ }, where 
we associate % with Tj. Define the function tag K {V) mapping every set V G C(ip) to the prim- 
itive proposition corresponding to the set (L)i(V/Ki)) H K v . Thus, tag K (V) gives the primitive 
proposition corresponding to the formulas in K v that appear under an Ki in V. 
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Since <p is consistent, there is a set V v G C(ip) with ip G V^. Define the deductive algorithmic 
knowledge structure M<? = vr^, Df,..., Df) by taking 

= {(sy, {tag x (V), tag K (V)} U V/Ob u 



We can check that is a deductive algorithmic knowledge structure with n agents. Moreover, it 
is easy to check that if sy ~? sjj in M^, then for all ip G X v , X; L ip G V if and only if X{ip G [/. 
(Indeed, if sy ~j S[/, then tag x (V) = tag x (U), and the result follows from the choice of tags.) 
Clearly, we also have that if V ~« U, then sy ~j sjj- we already know that V ~j J7 implies 
V/ 06 j = £// 06 i, and V «j {/ means that the same A"^ formulas are in V and U, and therefore, 
we also have tag x (V) = tag x (U), and similarly the same -fT^ formulas are in V and [/ and 
tag K (V) = tag K (U), and thus sy ~j S[/. Moreover, we have that if su ~j sy, then the same Kip> 
are formulas are in U and V, since tag K (U) = tag K (V). 

We can prove, adapting the proof of Theorem 4.1, that for all sy G S v and all subformulas 
ip G Sub(ip), (M v , sy) |= V if and only if ^ G V. Here are the interesting cases of the induction. 

For Obi(p), first assume that (M^sy) |= 06j(p). This means that p G V j Obi (since 
tag^V), tag^V) g" O^, we cannot have p = tag x (V) or p= tag K (V)), and thus 06j(p) G V. 
Conversely, if 06j(p) G V, then p G F/O&i, so that (M^, s v ) \= 06j(p). 

Now, consider a deductive algorithmic knowledge formula Xip. First, assume that we have 
(M^,s v ) \= Xiip. By definition, {obi{tag X {V)) , oh^tag K {V))} U {ob;(p) | p G F/06J h D? 

ip T . If ^ is 06j(p) for some p G V j Obi (we cannot have p = tag x (V) or p = tag K (V), by 
choice of tags), then (M^,sy) |= 06j(p), and thus 06j(p) G V by the induction hypothesis; by 
X2, Xj Obi{p) G V. Otherwise, consider the derivation of ?/> • By examination of Df, the last rule 
in this derivation must have obi(tag x (V)) in the premise (since there is a single tag in the premise 
of every rule, and the tag at state V is tag x (V)). By definition of Df, this means that Xiip G V, 
as required. Conversely, assume that X^ip G V. By definition of Df, ({obi(tag X (V))} U {obj(p) | 
p G V/Obi},ip T ) G Df, and thus {obi(tag X (V))} U {obi(p) | p G F/06J h Df V> T , meaning 
that (M^, sy) |= Xiip. 

For a knowledge formula Kiip, the argument is similar to that in the proof of Theorem 4.1. 

Completeness follows from the fact that ip G V v and ip G Sub(ip), so that (M 1 ^, sy) |= tp, and 
thus 99 is satisfiable. □ 

Theorem 6.3. The axiomatization AX n augmented with axioms AX^ 1 , . . . , AX^ n is sound and 
complete for £™(£) with respect to A4£>i,...,d„c(S). 

Proof. Soundness is again straightforward. For completeness, we prove the equivalent statement 
that if p is consistent then ip is satisfiable in some structure in A1di,...,d„(S). The procedure is 
exactly the one that is used to prove Theorem 6.2, except that we construct the deductive systems 



We simply indicate where the proof differs from that of Theorem 6.2, and let the reader fill 
in the details. We construct, for a given p, a deductive algorithmic knowledge structure with n 



{ta 9x (V), tag K {V)} U V/06 n ) | V G C(<p)} 




Df = {({obi(tag x (V))}UV/Obi,ip T ) | 

V G C(<p), Xiip G Sub(ip), Xiip G V}. 



Df,...,D% differently. 
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agents M v = (S^, vr v , Df,..., D£), where S* and ^ are constructed as in Theorem 6.2, and 
Df, . . . , Dn are obtained by taking Df to be 

A U {({ob(tag x (V))} U V/O&i, V> T ) 

V £ C{(p),Xiil) £ Sub(ip),Xiip £ V}. 

is a deductive algorithmic knowledge structure in M.D 1 ,...,D n c('^)- As in the proof of Theo- 
rem 4.2, we can show that if {obi(tag x (V))} U {obj(p) | p € V/ Ofrj} ■0 T , f° r some tp £ X 1 ^, 
then there is a rule {obi(tag x (V))} U {obj(p) | p e V/ 06j} > ip T in £)J\ The argument is quite 
similar, by showing that if {obi(tag x (V))} U {obj(p) \ p £ V/ Obi} \~D X V' 1 \ then must be in 
V". Once this is established, the rest of the proof follows that of Theorem 6.2. □ 

Theorem 6.4. If n > 2, the problem of deciding whether a formula tp of £™(£) is satisfiable in 
M n (Z) is PSPACE-complete. 

Proof. The proof is entirely analogous to that of Theorem 5.1, except that we use the modal logic 
Cf t rather than £ K . We can define translations between £™(£) and and we can prove analogues 
of Lemmas B.2 and B.3. We simply give the translations here, leaving the reader to fill in the details. 

Let / be a formula of Let pi, . . . ,pk be the primitive propositions appearing in /. We first 
come up with an encoding of these primitive propositions into the language of S. For example, we 
can take p\ to be true, p2 to be not(true), ps to be not(not(true)), and so forth. Let t p be the term 
encoding the primitive proposition p. Let / be the formula obtained by replacing every instance of a 
primitive proposition p in / by t p . Note that | / 1 is polynomial in | / 1 , and that / contains no instance 
of the X operator. We can show that / is satisfiable in /^-structures for n agents if and only if / is 
satisfiable in M n (T,), with a proof similar to that of Lemma B.2. This gives us an immediate lower 
bound, as follows. Let / be an formula. We know / is satisfiable if and only if / is satisfiable 
over M n (T,) structures. Since the decision problem for Cf t (n > 2) is PSPACE-complete, the lower 
bound of PSPACE follows. 

Let ip be a formula of £™(S). The set T| is countable, so let {pt \ t £ T|} be a countable 
set of primitive propositions corresponding to the ground terms of T^. Similarly, for every i, the 
set of formulas {X^ \ ip £ £™(£)} is countable, so let {q^ \ ip £ be a countable 

set of primitive propositions where q\ corresponds to the formula Xitp. Finally, let \r\ \ t £ 
T|} be a countable set of primitive propositions where r\ corresponds to the formula Obi(t). Let 
if be the translation of ip obtained by replacing every occurrence of a term t in T| by p t , every 
occurrence of a formula Xiip by the corresponding q 1 ^, and every occurrence of a formula Obi(t) by 
the corresponding r\, in conjunction with formulas r\ -fQr* for all observations Obi(t) appearing 
in ip, formulas q^ 4^ Kiq 1 ^ for all formulas Xiip appearing in ip, and formulas r\ q l 0b .r t \ for all 
observations Obi(t) appearing in ip. Note that \ip\ is polynomial in \ip\. We can show that p is 
satisfiable in M n (T>) if and only if tp is satisfiable in an £^-structure, using a proof similar to that 
of Lemma B.3. This gives us an immediate upper bound for our decision problem: p is satisfiable 
if and only if tp is satisfiable, so we can simply invoke the PSPACE algorithm for satisfiability 
on (p. □ 
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